Adobe issues PDF security warning

Trent Nouveau, 8th September 2010

Adobe has confirmed that malicious hackers are exploiting an unpatched bug affecting its Acrobat and Reader PDF software.

The exploit was reportedly identified in a phishing attempt with an e-mail subject line of "David Leadbetter's One Point Lesson" that contained an infected PDF file.

"A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh," the company acknowledged in an emergency security bulletin issued this afternoon.

"The vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. [We are] in the process of evaluating the schedule for an update to resolve this."

Although Adobe remained tight-lipped and refused to elaborate, security firm Secunia offered its own description of the bug's methodology and termed it "extremely critical."

"[This] vulnerability has been discovered in Adobe Reader, which can be exploited by malicious people to compromise a user's system.

"[It] is caused due to a boundary error within the font parsing in CoolType.dll and can be [used] to cause a stack-based buffer overflow by tricking a user into opening a specially crafted PDF file."